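 def test_example_k1_report(self):
     """SARIF appendix K.1 sample: ``test.title`` is populated and no findings are produced."""
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/appendix_k1.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(0, len(findings))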
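 def test_example_report_scanlift_bash(self):
     """Scanlift bash report: 27 findings; path, date and title pinned on two of them.

     The file path is asserted verbatim, including the ``file://`` scheme and the
     absolute local path recorded by the tool, so any URI normalisation added to
     the parser would surface here.
     """
     with open("dojo/unittests/scans/sarif/bash-report.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(27, len(findings))
     # finding 0
     item = findings[0]
     self.assertEqual(
         "file:///home/damien/dd/docker/setEnv.sh",
         item.file_path,
     )
     self.assertIsNone(item.cve)
     # Dates are expected to be timezone-aware (UTC).
     self.assertEqual(
         datetime.datetime(2021, 3, 8, 15, 39, 40, tzinfo=datetime.timezone.utc),
         item.date,
     )
     # finding 6
     item = findings[6]
     self.assertEqual(
         "Decimals are not supported. Either use integers only, or use bc or awk to compare.",
         item.title,
     )
     self.assertEqual("Info", item.severity)
     self.assertIsNone(item.cve)
     for finding in findings:
         self.common_checks(finding)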
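    def test_codeql_snippet_report(self):
        """CodeQL report: 72 findings; finding 7 pins location, severity and the rendered description.

        The description is the markdown the parser builds from the result message,
        the code snippet and the rule metadata, so it is compared as a whole string.
        """
        fixture = path.join(path.dirname(__file__), "../scans/sarif/codeQL-output.sarif")
        # Context manager so the fixture handle is closed even if parsing raises.
        with open(fixture, encoding="utf-8") as testfile:
            findings = SarifParser().get_findings(testfile, Test())
        self.assertEqual(72, len(findings))
        item = findings[7]
        self.assertEqual("good/mod_user.py", item.file_path)
        self.assertEqual(33, item.line)
        self.assertEqual("Critical", item.severity)
        description = """**Result message:** Keyword argument 'request' is not a supported parameter name of [function create](1).
**Snippet:**
```
        response = make_response(redirect('/'))
        response = libsession.create(request=request, response=response, username=username)
        return response

```
**Rule name:** py/call/wrong-named-argument
**Rule short description:** Wrong name for an argument in a call
**Rule full description:** Using a named argument whose name does not correspond to a parameter of the called function or method, will result in a TypeError at runtime."""
        self.assertEqual(description, item.description)
        for finding in findings:
            self.common_checks(finding)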
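 def test_example_k1_report(self):
     """SARIF appendix K.1 sample: the report yields no findings."""
     fixture = path.join(path.dirname(__file__), "../scans/sarif/appendix_k1.sarif")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(0, len(findings))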
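 def test_example_report_taint_python(self):
     """Python taint-analysis report: 11 findings; path, date, line and title pinned on three of them.

     File paths are asserted verbatim as the ``file://`` URIs recorded by the tool.
     """
     fixture = path.join(path.dirname(__file__), "../scans/sarif/taint-python-report.sarif")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(11, len(findings))
     # finding 0
     item = findings[0]
     self.assertEqual(
         "file:///home/damien/dd/dojo/tools/veracode/parser.py",
         item.file_path,
     )
     self.assertIsNone(item.cve)
     # Dates are expected to be timezone-aware (UTC).
     self.assertEqual(datetime.datetime(2021, 3, 8, 15, 46, 16, tzinfo=datetime.timezone.utc), item.date)
     # finding 2
     item = findings[2]
     self.assertEqual(
         "file:///home/damien/dd/dojo/tools/qualys_infrascan_webgui/parser.py",
         item.file_path,
     )
     self.assertEqual(169, item.line)
     # finding 6
     item = findings[6]
     self.assertEqual(
         "XML injection with user data from `filename in parser_helper.py:167` is used for parsing XML at `parser_helper.py:23`.",
         item.title,
     )
     self.assertEqual("Critical", item.severity)
     self.assertIsNone(item.cve)
     for finding in findings:
         self.common_checks(finding)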
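    def test_example2_report(self):
        """SARIF appendix K sample: one finding with location, severity, description and date pinned.

        The description is the markdown the parser builds from the result message,
        the snippet and the rule descriptions.
        """
        fixture = path.join(path.dirname(__file__), "../scans/sarif/appendix_k.sarif")
        # Context manager so the fixture handle is closed even if parsing raises.
        with open(fixture, encoding="utf-8") as testfile:
            findings = SarifParser().get_findings(testfile, Test())
        self.assertEqual(1, len(findings))
        item = findings[0]
        self.assertEqual("collections/list.h", item.file_path)
        self.assertEqual(15, item.line)
        self.assertEqual("Critical", item.severity)
        description = """**Result message:** Variable "ptr" was used without being initialized. It was declared [here](0).
**Snippet:**
```add_core(ptr, offset, val);
    return;```
**Rule short description:** A variable was used without being initialized.
**Rule full description:** A variable was used without being initialized. This can result in runtime errors such as null reference exceptions."""
        self.assertEqual(description, item.description)
        # Dates are expected to be timezone-aware (UTC).
        self.assertEqual(
            datetime.datetime(2016, 7, 16, 14, 19, 1, tzinfo=datetime.timezone.utc),
            item.date,
        )
        for finding in findings:
            self.common_checks(finding)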
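 def test_mobsfscan(self):
     """mobsfscan SARIF output (``.json`` extension): 9 findings that pass the common checks."""
     fixture = path.join(path.dirname(__file__), "../scans/sarif/mobsfscan.json")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(9, len(findings))
     for finding in findings:
         self.common_checks(finding)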
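 def test_njsscan(self):
     """Generated with opensecurity/njsscan (https://github.com/ajinabraham/njsscan).

     Two findings on the same file; the CWE id is pinned for both (327 and 798),
     which checks that the numeric CWE is extracted from the rule metadata.
     """
     fixture = path.join(path.dirname(__file__), "../scans/sarif/njsscan.sarif")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(2, len(findings))
     # finding 0
     finding = findings[0]
     self.assertEqual(
         "file:///src/index.js",
         finding.file_path,
     )
     self.assertIsNone(finding.cve)
     self.assertEqual(datetime.datetime(2021, 3, 23, 0, 10, 48, tzinfo=datetime.timezone.utc), finding.date)
     self.assertEqual(327, finding.cwe)
     # finding 1
     finding = findings[1]
     self.assertEqual(
         "file:///src/index.js",
         finding.file_path,
     )
     self.assertEqual(235, finding.line)
     self.assertEqual(datetime.datetime(2021, 3, 23, 0, 10, 48, tzinfo=datetime.timezone.utc), finding.date)
     self.assertEqual(798, finding.cwe)
     for finding in findings:
         self.common_checks(finding)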
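    def test_flawfinder(self):
        """flawfinder SARIF report: 53 findings; three of them checked in detail via subTests.

        For each sampled finding the title, severity, rendered description, location,
        the tool's rule id (``vuln_id_from_tool``) and the CWE reference URL are pinned.
        """
        fixture = path.join(path.dirname(__file__), "../scans/sarif/flawfinder.sarif")
        # Context manager so the fixture handle is closed even if parsing raises.
        with open(fixture, encoding="utf-8") as testfile:
            findings = SarifParser().get_findings(testfile, Test())
        self.assertEqual(53, len(findings))
        for finding in findings:
            self.common_checks(finding)
        with self.subTest(i=0):
            finding = findings[0]
            self.assertEqual(
                "random/setstate:This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).",
                finding.title,
            )
            self.assertEqual("Critical", finding.severity)
            description = """**Result message:** random/setstate:This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
**Snippet:**
```      is.setstate(std::ios::failbit);```
**Rule name:** random/setstate
**Rule short description:** This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327)."""
            self.assertEqual(description, finding.description)
            self.assertEqual("src/tree/param.cc", finding.file_path)
            self.assertEqual(29, finding.line)
            self.assertEqual(327, finding.cwe)
            self.assertEqual("FF1048", finding.vuln_id_from_tool)
            self.assertEqual("https://cwe.mitre.org/data/definitions/327.html", finding.references)
        with self.subTest(i=20):
            finding = findings[20]
            self.assertEqual(
                "buffer/memcpy:Does not check for buffer overflows when copying to destination (CWE-120).",
                finding.title,
            )
            self.assertEqual("Info", finding.severity)
            description = """**Result message:** buffer/memcpy:Does not check for buffer overflows when copying to destination (CWE-120).
**Snippet:**
```    std::memcpy(dptr, dmlc::BeginPtr(buffer_) + buffer_ptr_, size);```
**Rule name:** buffer/memcpy
**Rule short description:** Does not check for buffer overflows when copying to destination (CWE-120)."""
            self.assertEqual(description, finding.description)
            self.assertEqual("src/common/io.cc", finding.file_path)
            self.assertEqual(31, finding.line)
            self.assertEqual(120, finding.cwe)
            self.assertEqual("FF1004", finding.vuln_id_from_tool)
            self.assertEqual("https://cwe.mitre.org/data/definitions/120.html", finding.references)
        with self.subTest(i=52):
            finding = findings[52]
            self.assertEqual(
                "buffer/sscanf:The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20).",
                finding.title,
            )
            self.assertEqual("Critical", finding.severity)
            description = """**Result message:** buffer/sscanf:The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20).
**Snippet:**
```      if (sscanf(argv[i], "%[^=]=%s", name, val) == 2) {```
**Rule name:** buffer/sscanf
**Rule short description:** The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20)."""
            self.assertEqual(description, finding.description)
            self.assertEqual("src/cli_main.cc", finding.file_path)
            self.assertEqual(482, finding.line)
            # Two CWEs are listed in the message; only the reference URL is pinned here.
            self.assertEqual("FF1021", finding.vuln_id_from_tool)
            self.assertEqual("https://cwe.mitre.org/data/definitions/120.html", finding.references)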
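 def test_dockle(self):
     """Generated with goodwithtech/dockle (https://github.com/goodwithtech/dockle).

     Four CIS-DI checkpoint findings; rule id, severity and description are
     checked per finding in subTests.
     """
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/dockle_0_3_15.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(4, len(findings))
     for finding in findings:
         self.common_checks(finding)
     with self.subTest(i=0):
         finding = findings[0]
         self.assertEqual("CIS-DI-0010", finding.vuln_id_from_tool)
         self.assertEqual("Critical", finding.severity)
         self.assertIn("Do not store credential in ENVIRONMENT vars/files",
                       finding.description)
     with self.subTest(i=1):
         finding = findings[1]
         self.assertEqual("CIS-DI-0005", finding.vuln_id_from_tool)
         self.assertEqual("Info", finding.severity)
         self.assertEqual("Enable Content trust for Docker",
                          finding.description)
     with self.subTest(i=2):
         finding = findings[2]
         self.assertEqual("CIS-DI-0006", finding.vuln_id_from_tool)
         self.assertEqual("Info", finding.severity)
         self.assertEqual(
             "Add HEALTHCHECK instruction to the container image",
             finding.description)
     with self.subTest(i=3):
         finding = findings[3]
         self.assertEqual("CIS-DI-0008", finding.vuln_id_from_tool)
         self.assertEqual("Info", finding.severity)
         self.assertEqual("Confirm safety of setuid/setgid files",
                          finding.description)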
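 def test_mobsfscan(self):
     """mobsfscan SARIF output (``.json`` extension): 9 findings that pass the common checks."""
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/mobsfscan.json", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(9, len(findings))
     for finding in findings:
         self.common_checks(finding)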
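 def test_example_report(self):
     """DefectDojo self-scan export: ``test.title`` is populated and 510 findings are produced."""
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(
         "dojo/unittests/scans/sarif/DefectDojo_django-DefectDojo__2020-12-11_13 42 10__export.sarif",
         encoding="utf-8",
     ) as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(510, len(findings))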
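 def test_example_k3_report(self):
     """SARIF appendix K.3 sample: one finding whose title is pinned."""
     fixture = path.join(path.dirname(__file__), "../scans/sarif/appendix_k3.sarif")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(1, len(findings))
     item = findings[0]
     self.assertEqual('The insecure method "Crypto.Sha1.Encrypt" should not be used.', item.title)
     for finding in findings:
         self.common_checks(finding)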
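 def test_example_report(self):
     """DefectDojo self-scan export: 510 findings that all pass the common checks."""
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(
         "dojo/unittests/scans/sarif/DefectDojo_django-DefectDojo__2020-12-11_13 42 10__export.sarif",
         encoding="utf-8",
     ) as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(510, len(findings))
     # The previously unused `item = findings[0]` local was dropped; nothing asserted on it.
     for finding in findings:
         self.common_checks(finding)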
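 def test_example_report_ms(self):
     """Report file comes from the Microsoft SARIF SDK on GitHub.

     Four findings; the title of the first is pinned (a suppressed result is still
     imported as a finding).
     """
     fixture = path.join(path.dirname(__file__), "../scans/sarif/SuppressionTestCurrent.sarif")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(4, len(findings))
     item = findings[0]
     self.assertEqual("New suppressed result.", item.title)
     for finding in findings:
         self.common_checks(finding)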
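 def test_example_k3_report(self):
     """SARIF appendix K.3 sample: ``test.title`` is populated and the single finding's title is pinned."""
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/appendix_k3.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(1, len(findings))
     item = findings[0]
     self.assertEqual(
         'The insecure method "Crypto.Sha1.Encrypt" should not be used.',
         item.title)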
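 def test_example_report(self):
     """DefectDojo self-scan export: 510 findings that all pass the common checks."""
     fixture = path.join(
         path.dirname(__file__), "../scans/sarif/DefectDojo_django-DefectDojo__2020-12-11_13 42 10__export.sarif"
     )
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(510, len(findings))
     for finding in findings:
         self.common_checks(finding)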
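 def test_example_report_ms(self):
     """Report file comes from the Microsoft SARIF SDK on GitHub.

     ``test.title`` is populated, four findings are produced and the title of the
     first one is pinned.
     """
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/SuppressionTestCurrent.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(4, len(findings))
     item = findings[0]
     self.assertEqual("New suppressed result.", item.title)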
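 def test_example_report_semgrep(self):
     """semgrep OWASP Benchmark sample: ``test.title`` is populated and the first file path is pinned."""
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/semgrepowasp-benchmark-sample.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     item = findings[0]
     self.assertEqual(
         "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02660.java",
         item.file_path,
     )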
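 def test_example_report_semgrep(self):
     """semgrep OWASP Benchmark sample: 1768 findings; the first file path is pinned."""
     fixture = path.join(path.dirname(__file__), "../scans/sarif/semgrepowasp-benchmark-sample.sarif")
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertEqual(1768, len(findings))
     item = findings[0]
     self.assertEqual(
         "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02660.java",
         item.file_path,
     )
     for finding in findings:
         self.common_checks(finding)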
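 def test_example_k2_report(self):
     """SARIF appendix K.2 sample: one finding with path, line and description pinned."""
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/appendix_k2.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(1, len(findings))
     item = findings[0]
     self.assertEqual("src/collections/list.cpp", item.file_path)
     self.assertEqual(15, item.line)
     # assertEqual, not the deprecated assertEquals alias (removed in Python 3.12).
     self.assertEqual(
         "A variable was used without being initialized. This can result in runtime errors such as null reference exceptions.",
         item.description,
     )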
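    def test_example_k2_report(self):
        """SARIF appendix K.2 sample: one finding with title, path, line and rendered description pinned."""
        fixture = path.join(path.dirname(__file__), "../scans/sarif/appendix_k2.sarif")
        # Context manager so the fixture handle is closed even if parsing raises.
        with open(fixture, encoding="utf-8") as testfile:
            findings = SarifParser().get_findings(testfile, Test())
        self.assertEqual(1, len(findings))
        item = findings[0]
        self.assertEqual('Variable "count" was used without being initialized.', item.title)
        self.assertEqual("src/collections/list.cpp", item.file_path)
        self.assertEqual(15, item.line)
        description = """**Result message:** Variable "count" was used without being initialized.
**Rule full description:** A variable was used without being initialized. This can result in runtime errors such as null reference exceptions."""
        # assertEqual, not the deprecated assertEquals alias (removed in Python 3.12).
        self.assertEqual(description, item.description)
        for finding in findings:
            self.common_checks(finding)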
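    def test_dockle(self):
        """Generated with goodwithtech/dockle (https://github.com/goodwithtech/dockle).

        Four CIS-DI checkpoint findings; for each one the rule id, severity, the
        rendered description (result message plus rule short description) and the
        checkpoint reference URL are pinned in a subTest.
        """
        fixture = path.join(path.dirname(__file__), "../scans/sarif/dockle_0_3_15.sarif")
        # Context manager so the fixture handle is closed even if parsing raises.
        with open(fixture, encoding="utf-8") as testfile:
            findings = SarifParser().get_findings(testfile, Test())
        self.assertEqual(4, len(findings))
        for finding in findings:
            self.common_checks(finding)
        with self.subTest(i=0):
            finding = findings[0]
            self.assertEqual("CIS-DI-0010", finding.vuln_id_from_tool)
            self.assertEqual("Critical", finding.severity)
            # The result message names the suspicious ENV keys the tool flagged.
            description = """**Result message:** Suspicious ENV key found : DD_ADMIN_PASSWORD, Suspicious ENV key found : DD_CELERY_BROKER_PASSWORD, Suspicious ENV key found : DD_DATABASE_PASSWORD
**Rule short description:** Do not store credential in ENVIRONMENT vars/files"""
            self.assertEqual(description, finding.description)
            self.assertEqual(
                "https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0010",
                finding.references)
        with self.subTest(i=1):
            finding = findings[1]
            self.assertEqual("CIS-DI-0005", finding.vuln_id_from_tool)
            self.assertEqual("Info", finding.severity)
            description = """**Result message:** export DOCKER_CONTENT_TRUST=1 before docker pull/build
**Rule short description:** Enable Content trust for Docker"""
            self.assertEqual(description, finding.description)
            self.assertEqual(
                "https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0005",
                finding.references)
        with self.subTest(i=2):
            finding = findings[2]
            self.assertEqual("CIS-DI-0006", finding.vuln_id_from_tool)
            self.assertEqual("Info", finding.severity)
            description = """**Result message:** not found HEALTHCHECK statement
**Rule short description:** Add HEALTHCHECK instruction to the container image"""
            self.assertEqual(description, finding.description)
            self.assertEqual(
                "https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0006",
                finding.references)
        with self.subTest(i=3):
            finding = findings[3]
            self.assertEqual("CIS-DI-0008", finding.vuln_id_from_tool)
            self.assertEqual("Info", finding.severity)
            description = """**Result message:** setuid file: urwxr-xr-x usr/bin/chfn, setuid file: urwxr-xr-x usr/bin/chsh, setuid file: urwxr-xr-x usr/bin/passwd, setuid file: urwxr-xr-x bin/umount, setuid file: urwxr-xr-x bin/mount, setgid file: grwxr-xr-x usr/bin/wall, setgid file: grwxr-xr-x usr/bin/expiry, setuid file: urwxr-xr-x bin/su, setgid file: grwxr-xr-x sbin/unix_chkpwd, setuid file: urwxr-xr-x usr/bin/gpasswd, setgid file: grwxr-xr-x usr/bin/chage, setuid file: urwxr-xr-x usr/bin/newgrp
**Rule short description:** Confirm safety of setuid/setgid files"""
            self.assertEqual(description, finding.description)
            self.assertEqual(
                "https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0008",
                finding.references)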
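 def test_example2_report(self):
     """SARIF appendix K sample: one finding; location, severity, description and static/dynamic flags pinned."""
     test = Test()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/appendix_k.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(1, len(findings))
     item = findings[0]
     self.assertEqual("collections/list.h", item.file_path)
     self.assertEqual(15, item.line)
     self.assertEqual("Critical", item.severity)
     self.assertEqual("A variable was used without being initialized.",
                      item.description)
     # SARIF comes from static analysis tools, so findings are flagged static, not dynamic.
     self.assertEqual(True, item.static_finding)
     self.assertEqual(False, item.dynamic_finding)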
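 def test_example_k4_report_mitigation(self):
     """SARIF appendix K.4 sample: one finding whose title, rule id, path and mitigation are pinned."""
     fixture = path.join(path.dirname(__file__), "../scans/sarif/appendix_k4.sarif")
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(1, len(findings))
     for finding in findings:
         self.common_checks(finding)
     with self.subTest(i=0):
         finding = findings[0]
         self.assertEqual(
             'Variable "ptr" was used without being initialized. It was declared [here](0).', finding.title
         )
         self.assertEqual("C2001", finding.vuln_id_from_tool)
         self.assertEqual("collections/list.h", finding.file_path)
         self.assertEqual("Initialize the variable to null", finding.mitigation)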
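 def test_appendix_k1_double_interfacev2(self):
     """Multi-run report through the ``get_tests`` interface: one test per run, each with no findings.

     Checks that the two runs are mapped to separate tests typed by their tool name.
     """
     fixture = path.join(path.dirname(__file__), "../scans/sarif/appendix_k1_double.sarif")
     parser = SarifParser()
     # Context manager so the fixture handle is closed even if parsing raises.
     with open(fixture, encoding="utf-8") as testfile:
         tests = parser.get_tests(parser.get_scan_types()[0], testfile)
     self.assertEqual(2, len(tests))
     with self.subTest(test=0):
         test = tests[0]
         self.assertEqual("CodeScanner", test.type)
         findings = test.findings
         self.assertEqual(0, len(findings))
     with self.subTest(test=1):
         test = tests[1]
         self.assertEqual("OtherScanner", test.type)
         findings = test.findings
         self.assertEqual(0, len(findings))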
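 def test_example2_report(self):
     """SARIF appendix K sample: one finding; location, severity, description and date pinned."""
     # Context manager so the fixture handle is closed even if parsing raises.
     with open("dojo/unittests/scans/sarif/appendix_k.sarif", encoding="utf-8") as testfile:
         findings = SarifParser().get_findings(testfile, Test())
     self.assertEqual(1, len(findings))
     item = findings[0]
     self.assertEqual("collections/list.h", item.file_path)
     self.assertEqual(15, item.line)
     self.assertEqual("Critical", item.severity)
     self.assertEqual(
         "A variable was used without being initialized.", item.description
     )
     # Dates are expected to be timezone-aware (UTC).
     self.assertEqual(datetime.datetime(2016, 7, 16, 14, 19, 1, tzinfo=datetime.timezone.utc), item.date)
     for finding in findings:
         self.common_checks(finding)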
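    def test_import_scan(self):
        """Import the SpotBugs SARIF fixture through the Importer and check the resulting test.

        Exercises the full import path (users, product type, product, engagement and
        environment are created or reused) rather than the parser alone, and pins the
        test type name and the new/closed finding counts.
        """
        # The SARIF parser implements the newer get_scan_types() interface.
        scan_type = SarifParser().get_scan_types()[0]

        user, _ = User.objects.get_or_create(username="******")
        # Created for its side effect only; not passed to the importer.
        user_reporter, _ = User.objects.get_or_create(username="******")

        product_type, _ = Product_Type.objects.get_or_create(name="test2")
        product, _ = Product.objects.get_or_create(
            name="TestDojoDefaultImporter2",
            prod_type=product_type,
        )

        engagement, _ = Engagement.objects.get_or_create(
            name="Test Create Engagement2",
            product=product,
            target_start=timezone.now(),
            target_end=timezone.now(),
        )
        importer = Importer()
        scan_date = None
        environment, _ = Development_Environment.objects.get_or_create(name="Development")
        # Keep the scan handle open only for the duration of the import so it is
        # closed even if the importer raises.
        with open(get_unit_tests_path() + "/scans/sarif/spotbugs.sarif", encoding="utf-8") as scan:
            test, len_new_findings, len_closed_findings, _ = importer.import_scan(
                scan, scan_type, engagement, lead=None, environment=environment,
                active=True, verified=True, tags=None, minimum_severity=None,
                user=user, endpoints_to_add=None, scan_date=scan_date, version=None, branch_tag=None, build_id=None,
                commit_hash=None, push_to_jira=None, close_old_findings=False, group_by=None, api_scan_configuration=None)

        self.assertEqual(f"SpotBugs Scan ({scan_type})", test.test_type.name)
        self.assertEqual(56, len_new_findings)
        self.assertEqual(0, len_closed_findings)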
 def test_example_report(self):
     """DefectDojo self-scan export (legacy constructor API): ``test.title`` is set and 510 items are parsed."""
     test = Test()
     report_path = 'dojo/unittests/scans/sarif/DefectDojo_django-DefectDojo__2020-12-11_13 42 10__export.sarif'
     with open(report_path) as report:
         parser = SarifParser(report, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(510, len(parser.items))
 def test_example_k1_report(self):
     """SARIF appendix K.1 sample (legacy constructor API): ``test.title`` is set and no items are parsed."""
     test = Test()
     report_path = 'dojo/unittests/scans/sarif/appendix_k1.sarif'
     with open(report_path) as report:
         parser = SarifParser(report, test)
     self.assertIsNotNone(test.title)
     self.assertEqual(0, len(parser.items))